It was discovered that RT::Authen::ExternalAuth, an external authentication module for Request Tracker, is vulnerable to timing side-channel attacks for user passwords. Only ExternalAuth in DBI (database) mode is vulnerable. Upstream patch: https://forum.bestpractical.com/t/security-vulnerabilities-in-rt-2017-06-15/32016 References: https://www.debian.org/security/2017/dsa-3882 https://www.debian.org/security/2017/dsa-3883
Created rt tracking bugs for this issue: Affects: fedora-all [bug 1475084]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.